Security Experts:

Google Offers Big Bounties for Data Abuse Reports

Google announced on Thursday the launch of a new reward program for data abuse, and the expansion of the Google Play bounty program to include Android applications with over 100 million installs.

The Google Play Security Reward Program (GPSRP) now includes all the Android applications hosted on Google Play that have over 100 million installations, and vulnerabilities found in these apps will be rewarded by Google even if the developer does not have a vulnerability disclosure or bug bounty program.

If the developer does have a bug bounty program, researchers can receive rewards from both the developer and Google.

“In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” employees of Google’s Android Security & Privacy department explained in a blog post.

Google recently announced that it tripled and even quadrupled some of the rewards offered through the GPSRP. The company says it has paid out a total of more than $256,000 in bounties through this program, including $75,000 in July and August alone as a result of the higher rewards.

According to Google, data from the GPSRP helps it automatically scan all Google Play apps for vulnerabilities similar to the ones reported. Developers whose apps are found to be vulnerable are notified in the Play Console through the App Security Improvement program. Google says this program has helped over 300,000 developers address bugs in over one million apps.

Google also announced on Thursday the launch of the Developer Data Protection Reward Program (DDPRP). The DDPRP, run in collaboration with HackerOne, is meant to encourage security researchers to report Android apps, Chrome extensions and OAuth projects that use, sell or repurpose user data without consent, thus violating Google Play, Google API or Chrome Web Store policies.

“If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed,” Google said.

Google says this program does not currently have clear reward guidelines, but a single abuse report can be worth as much as $50,000.

Facebook runs a similar data abuse program and the social media giant recently expanded it to include Instagram as well.

Related: Flaw in Outlook for Android Allows for Data Theft

Related: Google Paid Out $3.4 Million for Vulnerabilities Reported in 2018

Related: XSS Vulnerability Exposed Google Employees to Attacks

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.